前言
我的linux服务器运行的是centos8; nginx采用的是docker-compose部署的方式,采用certbot docker容器申请和自动续期encrypt证书
1:docker安装certbot容器 并且停止nginx容器
docker pull certbot/certbot
docker-compose stop nginx-proxy
2:创建letsencrypt目录存放证书与之前手动下载的证书区分
我的letsencrypt目录为 /data/nginx/certs/letsencrypt
3:修改nginx下两个站点的配置文件的ssl路径为lets encrypt的证书文件
点击查看代码
# /docker/nginx/conf.d/thinkphp.conf
server {listen 443 ssl http2;server_name tp.example.com;ssl_certificate /etc/nginx/certs/letsencrypt/live/tp.example.com/fullchain.pem;ssl_certificate_key /etc/nginx/certs/letsencrypt/live/tp.example.com/privkey.pem;location / {proxy_pass http://thinkphp-app:9000; # 假设你的 ThinkPHP 容器名为 thinkphp-appproxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;}
}server {listen 80;server_name tp.example.com;return 301 https://$host$request_uri;
}4:运行certbot申请证书
在 /data/nginx 目录下运行
点击查看代码
docker run --rm \-v $(pwd)/certs/letsencrypt:/etc/letsencrypt \-v $(pwd)/logs/letsencrypt:/var/log/letsencrypt \-p 80:80 \certbot/certbot certonly \--standalone \--non-interactive \--agree-tos \--email 2607771759@qq.com \--domains wordpress.leyanpei.com
成功后会有如下提示 
5:重启nginx
在 /data/nginx 目录下运行 docker-compose up -d
6:设置自动续期
在 /data/nginx 目录下创建脚本renew-certe.sh 内容如下
点击查看代码
#!/bin/bash
cd /data/nginx# 停止 nginx(释放 80 端口)
docker-compose stop nginx-proxy# 续期证书
docker run --rm \-v $(pwd)/certs/letsencrypt:/etc/letsencrypt \-v $(pwd)/logs/letsencrypt:/var/log/letsencrypt \certbot/certbot renew --quiet# 重启 nginx
docker-compose up -d
赋予执行权限 chmod +x /data/nginx/renew-certs.sh
添加定时任务 crontab -e
每周日凌晨2:30执行
30 2 * * 0 /data/nginx/renew-certs.sh >> /data/nginx/logs/certbot-renew.log 2>&1
遇到的坑
成功运行完4的命令后letsencrypt文件夹下没有证书文件
查看/data/nginxlogs/letsencrypt下的日志发现 证书存放的文件是
点击查看代码
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/wordpress.leyanpei.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/wordpress.leyanpei.com/privkey.pem